{% if rewrite %}
RewriteEngine On
RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]

{% endif %}
{% if header_scheme %}
RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early

{% endif %}
{% if header_expect %}
RequestHeader unset Expect early

{% endif %}
{% if keephost %}
ProxyPreserveHost On
{% endif %}

# If you are a krb5 purist, please skip this.
# This is (ab)using the fact that krb5 replay cache is local to a server to protect against local attacks
#  while having an auth check on the proxies.
# This is done because when fedpkg uploads a tarball, PycURL first sends an Expect: 100-Continue, but
#  unless the proxy is aware of the auth requirement, it will send the 100-Continue immediately, after
#  which the request will still fail (because pkgs will require auth).
# What we do here is make the proxies require GSSAPI auth with the same keytab that pkgs uses.
# As a consequence, the auth request is made by the proxies, avoiding the 100-Continue that causes
#  files to be uploaded twice.
# However, I did not want to make the proxies send a plain HTTP header, since this means that whenever
#  someone gets into the local network, they could send their own request to the pkgs server, which will
#  then trust any username header (terrible idea, see CVE-2016-1000038).
# So, instead, I just depend on mod_proxy forwarding the Authorization: Negotiate header that the client
#  sends on to pkgs, which will then *again* start a new GSSAPI security context and that way
#  authenticate the user on its own accord.
# This depends on the fact that the krb5 replace cache is local, since both the terminating proxy *and*
#  pkgs will accept the GSSAPI security context.

<Location /repo/pkgs/upload.cgi>
	AuthType GSSAPI
	AuthName "GSSAPI Single Sign On Login"
	GssapiCredStore keytab:/etc/pkgs.keytab
	Require valid-user
</Location>

{% if datacenter == 'iad2' %}
ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
{% else %}
Redirect 421 /
{% endif %}
